Detecting failure of layer 2 service using broadcast messages

ABSTRACT

Some embodiments provide a method for detecting a failure of a layer 2 (L2) bump-in-the-wire service at a device. In some embodiments, the device sends heartbeat signals to a second device connected to L2 service nodes in order to detect failure of the L2 service (e.g., a failure of all the service nodes). In some embodiments, the heartbeat signals are unidirectional heartbeat signals (e.g., a unidirectional bidirectional-forwarding-detection (BFD) session) sent from each device to the other. The heartbeat signals, in some embodiments, use a broadcast MAC address in order to reach the current active L2 service node in the case of a failover (i.e., an active service node failing and a standby service node becoming the new active service node). The unidirectional heartbeat signals are also used, in some embodiments, to decrease the time between a failover and data messages being forwarded to the new active service node.

BACKGROUND

In a software defined network, a set of gateway devices (e.g., EdgeNodes) connecting the internal virtualized network and an externalnetwork may have a layer 2 bump in the wire service (i.e., a servicethat does not change the layer 2 addresses of a processed data message)inserted in the processing pipeline. Failure of the layer 2 service isdifficult to detect in some instances. When a backup layer 2 servicenode is provided and a primary layer 2 service node fails, the gatewaydevice must begin sending the data messages to the backup layer 2service node. A method for learning of the failure and quicklyredirecting data messages to the backup layer 2 service node isnecessary.

BRIEF SUMMARY

Some embodiments provide a method for providing a layer 2 (L2)bump-in-the-wire service at a gateway device (e.g., a layer 3 (L3)gateway device) at the edge of a logical network. The method, in someembodiments, establishes a connection from a first interface of thegateway device to a service node that provides the L2 service. Themethod also establishes a connection from a second interface of thegateway device to the L2 service node. The method then sends datamessages received by the gateway device that require the L2 service tothe service node using the first interface. In some embodiments,north-to-south traffic (i.e., from the external network to the logicalnetwork) is sent to the service node using the first interface while thesouth-to-north traffic is sent to the service node using the secondinterface.

Some embodiments provide a method for applying different policies at theservice node for different tenants of a datacenter. Data messagesreceived for a particular tenant that require the L2 service areencapsulated or marked as belonging to the tenant before being sent tothe service node. Based on the encapsulation or marking, the servicenode provides the service according to policies defined for the tenant.

The first and second interfaces of the gateway devices have differentinternet protocol (IP) addresses and media access control (MAC)addresses in some embodiments. The IP addresses, in some embodiments,are not used to communicate with devices of external networks and canhave internal IP addresses used within the logical network. The next hopMAC address for a data message requiring the L2 service sent from thefirst interface will be the MAC address of the second interface and willarrive at the second interface with the destination MAC addressunchanged by the service node. In some embodiments, interfaces forconnecting to the L2 service are disabled on standby gateway devices ofthe logical network and are enabled on only an active gateway device.

Connections to the service node, in some embodiments, are made throughlayer 2 switches. In some embodiments, each interface connects to adifferent switch connected to the service node. The service node, insome embodiments, is a cluster of service nodes in an active-standbyconfiguration that each connect to the same pair of switches. In someembodiments of an active-standby configuration, an active service nodeprovides the L2 service while the standby service nodes drop all datamessages that they receive. Failover between the active and standbyservice nodes is handled by the L2 service nodes with no involvement ofthe L3 gateway device in some embodiments.

The gateway device, in some embodiments, sends heartbeat signals betweenthe two interfaces connected to the L2 service nodes in order to detectfailure of the L2 service (e.g., a failure of all the service nodes). Insome embodiments, the heartbeat signals are unidirectional heartbeatsignals (e.g., a unidirectional bidirectional-forwarding-detection (BFD)session) sent from each interface to the other. The heartbeat signals,in some embodiments, use the IP address of the destination interface asthe destination IP address, but use a broadcast MAC address in order toreach the current active L2 service node in the case of a failover(i.e., an active service node failing and a standby service nodebecoming the new active service node).

Additional embodiments utilize the unidirectional broadcast heartbeatsignals to decrease the time between a failover and data messages beingforwarded to the new active service node as well as detect a failure ofthe service node cluster. In embodiments with an L2 bump-in-the-wireservice between any two interfaces (e.g., between interfaces of twodevices, or between two interfaces of a same device) an architectureusing different L2 switches between each interface and the service nodecluster is used in conjunction with the unidirectional broadcastheartbeat signals to reduce the time to redirect data messages to thenew active service node.

In some embodiments, the switches connecting the interfaces to theservice node cluster associate MAC addresses with particular ports ofthe switch based on incoming data messages. For example, a data messagereceived at the switch on a first port with a source MAC address “MAC1”(e.g., a 48-bit MAC address of the first interface) will cause theswitch to associate the first port with the MAC address MAC1 and futuredata messages with destination address MAC1 will be sent out of theswitch from the first port. By sending the heartbeat data messages tothe other interface with shorter time intervals between heartbeats thana timeout of a MAC address association (i.e., the time interval beforean association between a MAC address and a port is removed) the ports ofthe switches attached to the active service node can be associated withthe correct MAC addresses for the two interfaces more quickly. As astandby node becomes an active node, the broadcast heartbeat datamessages will be received and processed by the newly-active service nodeand the switches will associate the ports connected to the newly-activeservice node with the appropriate MAC addresses of the two interfaces.

The preceding Summary is intended to serve as a brief introduction tosome embodiments of the invention. It is not meant to be an introductionor overview of all inventive subject matter disclosed in this document.The Detailed Description that follows and the Drawings that are referredto in the Detailed Description will further describe the embodimentsdescribed in the Summary as well as other embodiments. Accordingly, tounderstand all the embodiments described by this document, a full reviewof the Summary, Detailed Description, and the Drawings is needed.Moreover, the claimed subject matters are not to be limited by theillustrative details in the Summary, Detailed Description, and theDrawings, but rather are to be defined by the appended claims, becausethe claimed subject matters can be embodied in other specific formswithout departing from the spirit of the subject matters.

BRIEF DESCRIPTION OF THE DRAWINGS

The novel features of the invention are set forth in the appendedclaims. However, for purposes of explanation, several embodiments of theinvention are set forth in the following figures.

FIG. 1 conceptually illustrates a system in which some on theembodiments of the invention are performed.

FIG. 2 conceptually illustrates a process to establish two connectionsfrom a device to a layer 2 bump-in-the-wire service node for the servicenode to provide a service to data messages.

FIG. 3 conceptually illustrates an embodiment in which an L2 service isprovided between two devices by a cluster of service nodes.

FIG. 4 conceptually illustrates a process for detecting failure usingthe heartbeat signals.

FIG. 5 conceptually illustrates a process performed by a service node insome embodiments.

FIG. 6 conceptually illustrates a process performed by the switches, insome embodiments, to facilitate failover without the device, or devices,that send data messages to the service node cluster being aware of aservice node cluster failover operation.

FIGS. 7A-B conceptually illustrate the flow of data messages in a singledevice embodiment for learning MAC addresses.

FIG. 8 conceptually illustrates the processing of a data messagerequiring a service provided by the service node cluster after theswitches have learned MAC address/interface associations from the datamessages depicted in FIGS. 7A-B or in other ways, such as by using anaddress resolution protocol (ARP) operation.

FIGS. 9A-B conceptually illustrate the path of a data message after afailover, before and after a subsequent heartbeat message is sent froman interface of a device.

FIGS. 10A-B conceptually illustrate an embodiment in which the heartbeatdata messages are used to detect failure of a service node cluster asdiscussed in relation to FIG. 4 .

FIG. 11 illustrates an embodiment including gateway devices in anactive-standby configuration at a border between two networks.

FIG. 12 conceptually illustrates an electronic system with which someembodiments of the invention are implemented.

DETAILED DESCRIPTION

In the following description, numerous details are set forth for thepurpose of explanation. However, one of ordinary skill in the art willrealize that the invention may be practiced without the use of thesespecific details. In other instances, well-known structures and devicesare shown in block diagram form in order not to obscure the descriptionof the invention with unnecessary detail.

Some embodiments provide a method for providing a layer 2 (L2)bump-in-the-wire service at a gateway device (e.g., a layer 3 (L3)gateway device) at the edge of a logical network. The method, in someembodiments, establishes a connection from a first interface of thegateway device to a service node that provides the L2 service. Themethod also establishes a connection from a second interface of thegateway device to the L2 service node. The method then sends datamessages received by the gateway device that require the L2 service tothe service node using the first interface. In some embodiments,north-to-south traffic (i.e., from the external network to the logicalnetwork) is sent to the service node using the first interface while thesouth-to-north traffic is sent to the service node using the secondinterface.

As used in this document, the term data packet, packet, data message, ormessage refers to a collection of bits in a particular format sentacross a network. It should be understood that the term data packet,packet, data message, or message may be used herein to refer to variousformatted collections of bits that may be sent across a network, such asEthernet frames, IP packets, TCP segments, UDP datagrams, etc. While theexamples below refer to data packets, packets, data messages, ormessages, it should be understood that the invention should not belimited to any specific format or type of data message. Also, as used inthis document, references to L2, L3, L4, and L7 layers (or layer 2,layer 3, layer 4, layer 7) are references to the second data link layer,the third network layer, the fourth transport layer, and the seventhapplication layer of the OSI (Open System Interconnection) layer model,respectively.

FIG. 1 conceptually illustrates a system in which some on theembodiments of the invention are performed. FIG. 1 depicts a gatewaydevice 101 that serves as the gateway between a network 110 (e.g., anuntrusted network) and a set of tenant networks 120 (e.g., a set oftrusted networks that are logical networks in some embodiments). In someembodiments, the gateway device implements a tier 0 (T0) logical routerthat is shared by multiple tenant networks, each of which connect to theT0 logical router through a unique interface (e.g. logical interface)using a tenant (or tier 1 (T1)) logical router. The gateway device 101also includes a set of interfaces 130 used to connect to a service node102 that provides a layer 2 (L2) bump-in-the-wire service (e.g., afirewall, load balancing, network address translation (NAT), or virtualprivate network (VPN) service) through switches 103.

In some embodiments, gateway device 101 allows for per-tenant policiesto be applied by the service node 102 by appending a context (e.g.,encapsulation or other marking) to a data message sent to service node102 with a tenant identifier (e.g., a virtual local area network (VLAN)tag that is associated with a particular tenant's policies). In FIG. 1 ,service node 102 is shown with a set of three logical interfaces,labeled 1-3 (corresponding to tenants 1-3), each connected to oneinterface of the two switches 103 (e.g., using VLAN trunking). Thelogical interfaces, in some embodiments, correspond to a single physicalinterface of the service node 102. Service node 102, in someembodiments, represents a cluster of service nodes that provide the L2service. In some embodiments utilizing a cluster of service nodes, theservice nodes are configured in an active-standby configuration with oneservice node performing the L2 service with the additional service nodesin the cluster acting as standby service nodes in case the activeservice node fails.

FIG. 1 also depicts a datapath for data messages requiring the L2service (depicted as the dotted line between two interfaces of gatewaydevice 101). The datapath ignores the datapath outside of the gatewaydevice, as the data message may be received from, and destined for, anyof the networks 110 or 120A-C. Gateway device 101 is depicted as agateway device, but one of ordinary skill in the art would understandthat the device, in some embodiments, is at a different point in thenetwork that requires an L2 bump-in-the-wire service.

Gateway device 101, in some embodiments, is a host computing machinethat executes an edge node program. In some embodiments, the edge nodeprogram includes at least one managed forwarding element (e.g. a managedrouting element, managed switching element, or both), that implements aset of logical forwarding elements of a set of logical networks for aset of tenants. Further details relating to implementing logicalnetworks using gateway devices (e.g., edge nodes) are found in U.S. Pat.No. 9,787,605 which is hereby incorporated by reference. Further detailsof the elements of FIG. 1 are described below in the discussion of FIG.2 .

FIG. 2 conceptually illustrates a process 200 to establish twoconnections from a device (e.g., gateway device 101) to a layer 2 (L2)bump-in-the-wire service node for the service node to provide a serviceto data messages. In some embodiments, process 200 is performed by thedevice (e.g., gateway device 101). Process 200 begins by establishing(at 210) a connection to the L2 service node from a first interface 130of the device. The first interface has a first internet protocol (IP)address which, in some embodiments, is a private IP address that is notused by external networks. In some embodiments, the connection from thefirst interface is made through a first layer 2 switch (e.g., switch103A). A layer 2 switch, in some embodiments, learns associationsbetween ports (e.g., interface 130) of the switch and media accesscontrol (MAC) addresses of the devices connected to each port from asource MAC address field in the header of the data messages received atthe port. In some embodiments, the first switch is a logical switch thatis implemented by a physical switch (e.g. a virtual switch or a hardwareswitch).

The process continues by establishing (at 220) a second connection tothe L2 service node from a second interface of the device. The secondinterface has a second, internet protocol (IP) address different fromthe first interface which, in some embodiments, is a private IP addressthat is not used by external networks. In some embodiments, theconnection from the second interface is made through a second layer 2switch. The second layer 2 switch also learns MAC address/port pairingsfrom received data messages in some embodiments. The second switch, insome embodiments, is a logical switch that is implemented by any of avirtual switch or a hardware switch.

Once connections are established from the device, the process receives(at 230) a data message from another device (e.g., a physical router, ora T1 logical router for a specific tenant). The data message, in someembodiments, is a data message exchanged between an external network anda tenant logical network for which the device serves as a gatewaydevice. In some embodiments, the data message is a data messageexchanged between an external network and a device in a datacenter forwhich the device acts as a gateway device. The data message, in someembodiments, is directed from a device in a tenant logical network toanother device in a same datacenter or network for which the device actsas a gateway device (e.g., in a same tenant's logical network or adifferent tenant's logical network). The datacenter, in someembodiments, implements a set of logical networks for a set of tenants.In some embodiments, the data message is received on a third interfaceof the device. The third interface, in some embodiments, has an IPaddress that is advertised to external networks by the device.

After receiving the data message, the process determines (at 240)whether the data message requires the L2 bump-in-the-wire service. Insome embodiments, the determination is based on a value in a set ofheader fields of the received data message. The value that thedetermination is based on may be any combination of a source ordestination IP or MAC address, a protocol, and a port number. In someembodiments, a set of header fields are associated specifically with theL2 service (e.g., a network address translation (NAT) service or loadbalancing (LB) service may be addressable by a particular set of IPaddresses, or may be associated with an IP subnet for which they providethe service). The determination, in some embodiments, is made using arouting entry (e.g., a policy-based routing entry) that indicates acertain IP address or range of IP addresses should be forwarded to theMAC of the second interface from the first interface. The range of IPaddresses, in some embodiments, is associated with a network for whichthe L2 service is required. In some embodiments, the policy-basedrouting entry identifies values in a combination of fields used todetermine that a received data message should be forwarded to the MAC ofthe second interface from the first interface. The fields that may beused to specify data messages that should be forwarded to the MAC of thesecond interface from the first interface, in some embodiments, includea source IP address, destination IP address, source MAC address,destination MAC address, source port, destination port, and protocol.

The determination (at 240) whether the data message requires the L2bump-in-the-wire service, in some embodiments, also takes into accountthe logical network from which the data message was received. In someembodiments, each tenant logical network implements a tier 1 logicalrouter that connects to a tier 0 logical router executing on a gatewaydevice through a different logical interface. For data messages receivedon a particular logical interface, some embodiments, applylogical-interface-specific (e.g., tenant-specific) policies to determine(at 240) whether the data message requires the service. The tenant, insome embodiments, defines at least two “zones” that include differentdevices or interfaces and requires sets of services (e.g., servicesprovided by a service node) for data messages between each pair ofzones.

If the process determines (at 240) that the data message does notrequire the L2 service, the process (at 250) processes the data messageand forwards it towards its destination and the process ends. In someembodiments, the data message processing is logical processing performedby a software forwarding element implementing a logical forwardingelement or elements (e.g., a logical router, a logical switch, or both).

If the process determines (at 240) that the data message does requirethe L2 service, the process forwards (at 260) the data message out oneof the interfaces connected to the L2 service node to be received at theother interface connected to the L2 service node. In some embodiments,north-south traffic coming from an external network into a logicalnetwork for which the device is a gateway device is sent to the servicenode from the first interface to be received at the second interfacewhile south-north traffic from a logical network to the external networkis sent to the service node from the second interface to be received bythe first interface.

In some embodiments, forwarding (at 260) the data message includes anencapsulation or other marking operation to identify a particulartenant. For example, referring to FIG. 1 , a data message received fromlogical interface ‘1’ of gateway device 101 that requires the serviceprovided by service node 102, is encapsulated so that it will bereceived at logical interface ‘1’ of service node 102. Based on theencapsulation, service node 102 applies policies specific to tenant 1.Data messages sent between interfaces use the MAC addresses associatedwith the destination interface of the device which remains unchanged bythe processing performed by the L2 service node.

After forwarding (at 260) the data message out of one interfaceconnected to the L2 service node, the process receives (at 270) the datamessage at the other interface. In some embodiments, the received datamessage includes an encapsulation or marking associated with a specifictenant. The process then processes (at 250) the received data messageand forwards the data message towards its destination. In someembodiments, multiple L2 bump-in-the-wire services are independentlyprovided in a similar fashion.

FIG. 3 conceptually illustrates an embodiment in which an L2 service isprovided between two devices 301 by a service node in a cluster ofservice nodes 305. Device 301A is depicted as including router 310 andswitch 303A which, in some embodiments, are software executing on device301A. Router 310 and switch 303A, in some embodiments, implement logicalforwarding elements. In some embodiments, device 301A is a gatewaydevice connecting an internal network to an external network. Theinternal network is a physical network implementing a logical network insome embodiments, with device 301A implementing the logical forwardingelements using router 310 and switch 303A.

Connections to the service nodes 302, in the depicted embodiment, aremade through layer 2 switches 303. The different devices 301 connect tothe cluster of service nodes 302 through different switches 303. Theservice nodes 302 are depicted as a cluster of service nodes 305 in anactive-standby configuration that each connect to the same pair ofswitches. In some embodiments of an active-standby configuration, anactive service node provides the L2 service while the standby servicenodes drop all data messages that they receive. Failover between theactive and standby service nodes is handled by the L2 service nodes withno involvement of devices 301 in some embodiments.

Devices 301, in some embodiments, send heartbeat signals between the twointerfaces connected to the L2 service nodes in order to detect failureof the L2 service (e.g., a failure of all the service nodes). In someembodiments, the heartbeat signals are unidirectional heartbeat signals(e.g., a unidirectional bidirectional-forwarding-detection (BFD)session) sent from each interface to the other. The heartbeat signals,in some embodiments, use the IP address of the destination interface asthe destination IP address, but use a broadcast MAC address in order toreach the current active L2 service node in the case of a failover(i.e., an active service node failing and a standby service nodebecoming the new active service node).

FIG. 4 conceptually illustrates a process 400 for detecting failureusing the heartbeat signals. Process 400, in some embodiments, isexecuted by at least one device 301 and, in some embodiments, isexecuted by each device 301. Process 400 begins (at 410) by establishinga unidirectional session between the interface (e.g., 330A) thatconnects to the cluster of service nodes and the interface (e.g. 330B)of the device attached to the other switch connected to the cluster ofservice nodes.

The process subsequently sends (at 420) a heartbeat data message to thesecond device. In some embodiments, device 301A directs the data messageto the IP address of the interface of the second device (e.g., 330B)using a broadcast MAC address. The heartbeat data message has a sourceMAC address of the interface of the first device that is learned by theswitches connected to the service nodes and associated by the switcheswith the interfaces on which the heartbeat data message is received bythe switch.

The process receives (at 430) a heartbeat data message from the seconddevice. In some embodiments, the heartbeat messages are sent andreceived at intervals that are shorter than a timeout of a learned MACaddress/interface pairing in the switches (e.g., 303). In someembodiments, the received message is sent from the second devicedirected to the IP address of the first interface using a broadcast MACaddress.

At 440, the process determines that the service nodes (e.g., 302) havefailed. In some embodiments, the determination is made based on a timeelapsed since a last heartbeat message was received. The time elapsed todetermine failure of the service nodes (e.g., 302), in some embodiments,is based on the time between heartbeat signals, e.g., 5 heartbeatsignals, or on a failover time for the service nodes in a service nodecluster.

Upon determining (at 440) that a service node cluster has failed, theprocess performs (at 450) a default operation for subsequent packetsuntil the service is restored. In some embodiments, the defaultoperation is forwarding all data messages to their destination withoutsending them to be provided the L2 service. In other embodiments, thedefault operation is dropping all data messages that require the L2service until the L2 service is restored. In some embodiments, thedevice continues to send heartbeat data messages and determines that theservice has been restored when a heartbeat is received from the otherdevice or interface.

Additional embodiments utilize the unidirectional broadcast heartbeatsignals to decrease the time between a failover and data messages beingforwarded to the new active service node as well as detect a failure ofthe service node cluster. In embodiments with an L2 bump-in- the-wireservice between any two interfaces (e.g., between interfaces of twodevices, or between two interfaces of a same device) an architectureusing different L2 switches between each interface and the service nodecluster is used in conjunction with the unidirectional broadcastheartbeat signals to reduce the time to redirect data messages to thenew active service node. FIGS. 5 and 6 conceptually illustrate processesperformed by a service node and a switch, respectively, in some suchembodiments.

FIG. 5 conceptually illustrates a process 500 performed by a servicenode in some embodiments. Process 500 begins by receiving (at 510) datamessages sent from one of two interfaces in communication with eachother through the service node cluster including the service nodeperforming 500. When the service node is a standby service node, thedata messages are heartbeat data messages that are addressed to an IPaddress associated with either one of the two interfaces of the deviceor devices in communication with the service node and a broadcast MACaddress. In some embodiments, the heartbeat data messages are receivedfrom one of two interfaces connected to the service node cluster througha pair of switches as in FIG. 3 . When the service node is an activeservice node, the data messages include data messages requiring theservice provided by the service node cluster. In some embodiments, adata message is received with a context (e.g., an encapsulation or othermarking) that is understood by the service node to identify a particularset of policies to apply to the data message. The context, in someembodiments, identifies a set of policies that are for a specifictenant.

The process then processes (at 520) the data messages at the servicenode. When the service node is designated as a standby service node,processing a data message, in some embodiments, comprises dropping thedata message. Dropping data messages at the standby service node avoidsredundant processing and, in embodiments providing a stateful service,misprocessing based on a lack of current state information. When theservice node is designated, or acting, as an active service node,processing a heartbeat data message includes forwarding the data messageto the destination interface without alteration.

Processing the data message at an active node, in some embodiments,includes applying tenant-specific policies to the data message. Thetenant-specific policies are identified based on a context appended tothe data message by the device (e.g., a gateway device) that directs thedata message to the service node. Processing a data message requiringthe service at an active service node includes providing the service andforwarding the data message to the destination IP address withoutaltering the source and destination MAC addresses of the received datamessage.

A service node performing process 500, in some embodiments, acts as astandby service node at some times and, if an active service node fails,acts (or is designated) as the active service node at other times. Thefailover process between service nodes, in some embodiments, isindependent of the devices sending the heartbeat data messages. In someembodiments, the service node cluster has a control or managementcomputer or cluster that determines and designates the active servicenode. The control/management computer, in some embodiments, maintainsits own failure detection protocol (e.g., BFD) to detect the health ofthe service nodes in a service node cluster and initiate a failoverprocess.

FIG. 6 conceptually illustrates a process 600 performed by the switches,in some embodiments, to facilitate failover without the device, ordevices, that send data messages to the service node cluster being awareof a service node cluster failover operation. The process begins byreceiving (at 610) a data message from one of the interfaces of a devicesending data messages to the service node cluster through the switch.The data message, in some embodiments, is a heartbeat data message sentfrom one interface to another through the switches and service nodecluster. In some embodiments, the heartbeat data message uses abroadcast MAC address (i.e., FF:FF:FF:FF:FF:FF) as a destination MACaddress. The heartbeat data message also includes a MAC address of theinterface from which the data message was sent as a source MAC address.

The process then learns (at 620) a pairing between a port (e.g.interface) at which the data message was received and a MAC address usedas a source MAC address of the received data message. The learning, insome embodiments, is accomplished through a table or other datastructure that stores associations between MAC addresses and ports ofthe switch. The learned association is used to process subsequent datamessages addressed to the MAC address by forwarding the subsequent datamessage to the destination from the associated port.

The process then forwards (at 630) the received heartbeat data messageout all the ports other than the port on which it was received. Thebroadcast heartbeat data message is then received at the service nodesof the service node cluster as described in relation to operation 510 ofFIG. 5 for a particular service node. As described above in relation toFIG. 5 , only the active service node forwards the received heartbeatdata message to the second interface through the second switch. Thesecond switch receives the forwarded data message and associates theport connected to the active service node with the source MAC address ofthe heartbeat data message (i.e., the MAC address of the firstinterface) and forwards the heartbeat data message out all ports exceptfor the port at which it was received as will be described in relationto operations 640 and 650 for the first switch performing process 600.

The process then receives (at 640) a heartbeat data message from thesecond interface through an active service node. The heartbeat datamessage is received from the active service node, but not the standbyservice nodes as only the active service node allows data messages to beforwarded towards the destination. The heartbeat data message, in someembodiments, is received by the first switch after a second switchreceives the data message from the second interface. In someembodiments, the second interface sends the heartbeat data message usingthe second interface's MAC address as a source MAC address and abroadcast MAC address as the destination address. Based on the broadcastMAC address, the second switch floods the data message to all theservice nodes as described for the first switch in operation 630.

The process then learns (at 650) a pairing between a port at which thedata message was received and a MAC address used as a source MAC addressof the received data message (i.e., the MAC address of the secondinterface). The port that is associated with the second interface's MACaddress is the port connected to the active service node, because onlythe active service node forwards the data message to the first switch.The learned address/port pairing is stored, in some embodiments, in thesame table or other data structure that stores the association betweenthe MAC address of the first interface and the port at which the firstheartbeat data message was received. The learned association is used toprocess subsequent data messages addressed to the MAC address of thesecond interface by forwarding the subsequent data message to thedestination from the associated port. The switch has now learned theports associated with the MAC addresses of the first and secondinterfaces and can use those learned associations to process subsequentdata messages.

The process receives (at 660) a data message that requires the serviceprovided by the service node cluster. The data message is received atthe port of the switch that connects to the first interface, in someembodiments. The data message, in some embodiments, has a destinationaddress that is the MAC address of the second interface.

The process then forwards (at 670) the data message that requires theservice to the active service node. The process does not need to performan address resolution protocol (ARP) operation to identify the portbecause the MAC address/port pairing was previously learned as part oflearning operation 650. Additionally, if an active service node fails,the heartbeat data messages sent subsequent to the service node failoverprocess will be forwarded by the new active service node and the MACaddress/port pairings for the first and second interface MAC addresseswill be remapped to the ports connected to the new active service node.One of ordinary skill in the art will understand that operationsrelating to heartbeat data messages are independent of operationsrelated to data message processing for data messages received from anetwork connected to the device and may be omitted in some embodiments.

FIGS. 7A-B conceptually illustrates the flow of data messages in asingle device embodiment 700 for learning MAC addresses. As for device101 in FIG. 1 , Device 701 serves as a gateway device between networks710 and 720. Data message ‘1’ represents a heartbeat data message sentfrom an interface 730A to an interface 730C (e.g., a port) of a switch703A. Data message ‘1’ is a heartbeat data message that has (1) a sourceIP address (Src IP) that is the IP address of interface 730A, (2) asource MAC address (Src MAC) that is the MAC address of interface 730A(e.g., MAC 1), (3) a destination IP address (Dst IP) that is the IPaddress of interface 730B, and (4) a destination MAC address that is abroadcast MAC address (e.g., FF:FF:FF:FF:FF:FF). As described above,switch 703A receives data message ‘1’ at interface 730C and learns anassociation between MAC 1 and interface 730C, and forwards the datamessage as data messages ‘2’ to all other interfaces 730D-F of theswitch. Data message ‘2’ is received by service nodes 702A-C and isforwarded to interface 730G of switch 703B only by the active servicenode 702A as data message ‘3’ because standby service nodes 702B-C dropdata messages received based on their designation as standby servicenodes. Data messages ‘2’ and ‘3’ maintain the same source anddestination addresses as data message ‘1’ in some embodiments.

Switch 703B learns an association between MAC 1 and interface 730G asdiscussed above in relation to FIG. 6 . Data message ‘3’ is thenforwarded to all other interfaces of switch 703B (i.e., interfaces730H-J) as data message ‘4.’ Device 701 receives the heartbeat datamessage and determines that the service cluster has not failed. Standbyservice nodes 702B-C drop the data message. At this stage, anassociation between the MAC address of interface 730A and interfaces730C and 730G is learned by switches 703A and 703B respectively.

A similar heartbeat data message sent from the interface 730B causes anassociation between a MAC address of interface 730B (e.g., MAC 2) withinterfaces 730J and 730C to be learned by switches 703B and 703Arespectively. Data message ‘5’ represents a heartbeat data message sentfrom an interface 730B to an interface 730J (e.g., a port) of a switch703B. Data message ‘5’ is a heartbeat data message that has (1) a Src IPthat is the IP address of interface 730B, (2) a Src MAC that is the MACaddress of interface 730B (e.g., MAC 2), (3) a Dst IP that is the IPaddress of interface 730A, and (4) a destination MAC address that is abroadcast MAC address (e.g., FF:FF:FF:FF:FF:FF). As described above,switch 703B receives data message ‘5’ at interface 730J and learns anassociation between MAC 2 and interface 730J and forwards the datamessage as data messages ‘6’ to all other interfaces 730G-I of theswitch. Data message ‘6’ is received by service nodes 702A-C and isforwarded to interface 730D of switch 703A only by the active servicenode 702A as data message ‘7’ because standby service nodes 702B-C dropdata messages received based on their designation as standby servicenodes. Data messages ‘6’ and ‘7’ maintain the same source anddestination addresses as data message ‘5’ in some embodiments.

Switch 703A learns an association between MAC 2 and interface 730D asdiscussed above in relation to FIG. 6 . Data message ‘7’ is thenforwarded to all other interfaces of switch 703A (i.e., interfaces 730C,E, and F) as data message ‘8.’ Device 701 receives the heartbeat datamessage and determines that the service cluster has not failed. Standbyservice nodes 702B-C drop the data message. At this stage, anassociation between the MAC address of interface 730B and interfaces730D and 730J is learned by switches 703A and 703B respectively.

FIGS. 8 conceptually illustrates the processing of a data messagerequiring a service provided by the service node cluster 705 after theswitches have learned MAC address/interface associations from the datamessages depicted in FIG. 7 or in other ways, such as by using anaddress resolution protocol (ARP) operation. Data message ‘9’ representsa data message requiring the service provided by service node cluster705. Data message ‘9’ has (1) a Src IP that is the IP address ofinterface 730A, (2) a Src MAC that is the MAC address of interface 730A(e.g., MAC 1), (3) a Dst IP that is the IP address of interface 730B,and (4) a destination MAC address that is a MAC address of interface730B (e.g., MAC 2). Data message ‘9’ is sent from interface 730A tointerface 730C of switch 703A.

Upon receiving the data message, switch 703A consults the table or otherdata structure storing the MAC/interface associations to determine thatMAC 2 (i.e., the destination MAC address) is associated with interface730D and sends, as data message ‘10,’ the data message to service node702A using interface 730D. Service node 702A processes the data message,including providing the service provided by the service node cluster 705and sends the processed data message as data message ‘11’ to interface730G of switch 703B. Upon receiving data message ‘11,’ switch 703Bconsults the table or other data structure storing the MAC/interfaceassociations to determine that MAC 2 (i.e., the destination MAC address)is associated with interface 730J and sends, as data message ‘12,’ thedata message to interface 730B using interface 730J. Return datamessages are handled similarly.

FIGS. 9A-B conceptually illustrate the path of a data message after afailover, before and after a subsequent heartbeat message is sent froman interface 730 of device 701. FIG. 9A illustrates the failure ofservice node 702A and service node 702B being designated as the newactive service node. After the failure of service node 702A, datamessage ‘13’ is sent from interface 730A with the same Src IP, Src MAC,Dst IP, and Dst MAC as data message ‘9.’ Switch 703A sends data message‘14’ to service node 702A based on the association previously learnedbetween MAC 2 and interface 730D, however, service node 702A has failedand the data message is lost. In a setup without the heartbeat datamessages described in FIGS. 7A-B, the data messages in both directionswould continue to be dropped (i.e., black-holed) until a timeout of thelearned MAC address/interface associations, at which point a newlearning operation (e.g. an ARP operation) would be performed indicatingthat the MAC address should be associated with the interface connectedto the new active service node.

If, however, heartbeat data message ‘15’ is sent from interface 730B(using the same combination of Src IP, Src MAC, Dst IP, and Dst MAC asdata message ‘5’), switch 703B once again floods the data message asdata messages ‘16’ as described in relation to data message ‘6’ and thenew active service node 702B receives and forwards the data message toswitch 703A (not depicted). This causes switch 703A to update its MACaddress/interface table or other data structure to indicate anassociation between MAC 2 and interface 730E connected to service node702B. Using this updated association allows subsequently received datamessage requiring the service provided by service node cluster 705 tofollow a path illustrated by data messages ‘17’-‘20’ without any changein the set of Src IP, Src MAC, Dst IP, and Dst MAC at the device 701 fordata messages going in the same direction. Heartbeat data messages aresent at time intervals that are shorter than a timeout interval forlearned MAC address/interface associations so that in the case ofservice node failover, the service is restored based on the shorterheartbeat data message interval rather than the longer timeout intervalfor learned MAC address/interface associations.

FIGS. 10A-B conceptually illustrates an embodiment in which theheartbeat data messages are used to detect failure of a service nodecluster as discussed in relation to FIG. 4 . FIG. 10A illustrates thesame elements as in FIG. 3 , however in FIG. 10A two of the threeservice nodes 302 have failed (i.e., 302A and 302C). A first heartbeatdata message, data message ‘1,’ is sent from interface 330A to interface330B. Data message ‘1’ traverses switch 303A, service node 302B andswitch 303B before arriving at interface 330B. a heartbeat data message,data message ‘2,’ is sent from interface 330B to interface 330Atraversing switch 303B, service node 302B and switch 303A before beingreceived by device 301A at interface 330A. As described in relation toFIG. 7 , data messages ‘3’ and ‘4’ represent the rest of the datapathfor heartbeat data messages. These heartbeat data messages are used todetermine that the service node cluster 305 is still functioning (e.g.,still providing the service).

FIG. 10B illustrates a heartbeat data message being unable to reach adestination interface after the failure of all the service nodes 302 inservice node cluster 305. Data messages ‘5’ and ‘6’ represent heartbeatdata messages that are sent by interface 330A and 330B respectively.Data messages ‘5’ and ‘6’ arrive at switches 303A and 303B respectively,are forwarded to all the service nodes 302A-C, as data messages ‘7’ and‘8’ respectively, based on the broadcast destination MAC address, butare not forwarded towards the other interface because the service nodeshave failed. In some embodiments, the failure of the service nodes isbased on a connection failure between the switches and the service nodeor between the interface of the devices 301 and a switch 303. One ofordinary skill in the art would understand that the same service nodecluster failure detection would function in the same way between twointerfaces of a single device. In embodiments in which the twointerfaces belong to a same device, failure detection may also be basedon the fact that data messages the device sends out one interface arenot received at the other interface which may enable faster failuredetection than a system that is not aware of when heartbeat datamessages are sent by the other device.

As discussed above in relation to FIG. 4 , after a certain time interval(e.g., representing a certain number of missed heartbeat data messages)during which a heartbeat data message has not been received, devices 301determine that the service node cluster 305 has failed and perform adefault operation for data messages requiring the service provided bythe service node cluster 305. In some embodiments, the default operationis to forward the data messages without providing the service (e.g., afail-open condition) while in other embodiments, the default operationis to drop the data messages requiring the service (e.g., a fail-closedcondition) until the service is restored. A fail-open condition may bemore appropriate for services such as load balancing where security isnot an issue while fail-closed may be more appropriate for a firewalloperation relating to security and a network address translation (NAT)service which generally requires state information that is maintained bythe service node providing the service.

FIG. 11 illustrates an embodiment including gateway device 701A andgateway device 701B that each act at a border between network 710 (e.g.,an external network) and network 720 (e.g., an internal/logicalnetwork). The elements of FIG. 11 act as the similarly numbered elementsof FIG. 7 with the additional designation of one of the devices 701 asthe active gateway device (e.g., gateway device 701A). The activegateway device 701A, in some embodiments receives all data messagesexchanged between the networks 710 and 720. In some embodiments, thegateway devices also execute centralized aspects of a logical router fora logical network implemented in network 720. In some embodiments usinga centralized logical router in the gateway devices, only one gatewaydevice provides the centralized logical router services.

FIG. 12 conceptually illustrates an electronic system 1200 with whichsome embodiments of the invention are implemented. The electronic system1200 can be used to execute any of the control, virtualization, oroperating system applications described above. The electronic system1200 may be a computer (e.g., a desktop computer, personal computer,tablet computer, server computer, mainframe, a blade computer etc.),phone, PDA, or any other sort of electronic device. Such an electronicsystem includes various types of computer readable media and interfacesfor various other types of computer readable media. Electronic system1200 includes a bus 1205, processing unit(s) 1210, a system memory 1225,a read-only memory (ROM) 1230, a permanent storage device 1235, inputdevices 1240, and output devices 1245.

The bus 1205 collectively represents all system, peripheral, and chipsetbuses that communicatively connect the numerous internal devices of theelectronic system 1200. For instance, the bus 1205 communicativelyconnects the processing unit(s) 1210 with the read-only memory 1230, thesystem memory 1225, and the permanent storage device 1235.

From these various memory units, the processing unit(s) 1210 retrieveinstructions to execute and data to process in order to execute theprocesses of the invention. The processing unit(s) may be a singleprocessor or a multi-core processor in different embodiments.

The read-only-memory 1230 stores static data and instructions that areneeded by the processing unit(s) 1210 and other modules of theelectronic system. The permanent storage device 1235, on the other hand,is a read-and-write memory device. This device is a non-volatile memoryunit that stores instructions and data even when the electronic system1200 is off. Some embodiments of the invention use a mass-storage device(such as a magnetic or optical disk and its corresponding disk drive) asthe permanent storage device 1235.

Other embodiments use a removable storage device (such as a floppy disk,flash drive, etc.) as the permanent storage device. Like the permanentstorage device 1235, the system memory 1225 is a read-and-write memorydevice. However, unlike storage device 1235, the system memory is avolatile read-and-write memory, such as random access memory. The systemmemory stores some of the instructions and data that the processor needsat runtime. In some embodiments, the invention's processes are stored inthe system memory 1225, the permanent storage device 1235, and/or theread-only memory 1230. From these various memory units, the processingunit(s) 1210 retrieve instructions to execute and data to process inorder to execute the processes of some embodiments.

The bus 1205 also connects to the input and output devices 1240 and1245. The input devices enable the user to communicate information andselect commands to the electronic system. The input devices 1240 includealphanumeric keyboards and pointing devices (also called “cursor controldevices”). The output devices 1245 display images generated by theelectronic system. The output devices include printers and displaydevices, such as cathode ray tubes (CRT) or liquid crystal displays(LCD). Some embodiments include devices such as a touchscreen thatfunction as both input and output devices.

Finally, as shown in FIG. 12 , bus 1205 also couples electronic system1200 to a network 1265 through a network adapter (not shown). In thismanner, the computer can be a part of a network of computers (such as alocal area network (“LAN”), a wide area network (“WAN”), or an Intranet,or a network of networks, such as the Internet. Any or all components ofelectronic system 1200 may be used in conjunction with the invention.

Some embodiments include electronic components, such as microprocessors,storage and memory that store computer program instructions in amachine-readable or computer-readable medium (alternatively referred toas computer-readable storage media, machine-readable media, ormachine-readable storage media). Some examples of such computer-readablemedia include RAM, ROM, read-only compact discs (CD-ROM), recordablecompact discs (CD-R), rewritable compact discs (CD-RW), read-onlydigital versatile discs (e.g., DVD-ROM, dual-layer DVD-ROM), a varietyof recordable/rewritable DVDs (e.g., DVD-RAM, DVD-RW, DVD+RW, etc.),flash memory (e.g., SD cards, mini-SD cards, micro-SD cards, etc.),magnetic and/or solid state hard drives, read-only and recordableBlu-Ray® discs, ultra density optical discs, any other optical ormagnetic media, and floppy disks. The computer-readable media may storea computer program that is executable by at least one processing unitand includes sets of instructions for performing various operations.Examples of computer programs or computer code include machine code,such as is produced by a compiler, and files including higher-level codethat are executed by a computer, an electronic component, or amicroprocessor using an interpreter.

While the above discussion primarily refers to microprocessor ormulti-core processors that execute software, some embodiments areperformed by one or more integrated circuits, such as applicationspecific integrated circuits (ASICs) or field programmable gate arrays(FPGAs). In some embodiments, such integrated circuits executeinstructions that are stored on the circuit itself.

As used in this specification, the terms “computer”, “server”,“processor”, and “memory” all refer to electronic or other technologicaldevices. These terms exclude people or groups of people. For thepurposes of the specification, the terms display or displaying meansdisplaying on an electronic device. As used in this specification, theterms “computer readable medium,” “computer readable media,” and“machine readable medium” are entirely restricted to tangible, physicalobjects that store information in a form that is readable by a computer.These terms exclude any wireless signals, wired download signals, andany other ephemeral signals.

This specification refers throughout to computational and networkenvironments that include virtual machines (VMs). However, virtualmachines are merely one example of data compute nodes (DCNs) or datacompute end nodes, also referred to as addressable nodes. DCNs mayinclude non-virtualized physical hosts, virtual machines, containersthat run on top of a host operating system without the need for ahypervisor or separate operating system, and hypervisor kernel networkinterface modules.

VMs, in some embodiments, operate with their own guest operating systemson a host machine using resources of the host machine virtualized byvirtualization software (e.g., a hypervisor, virtual machine monitor,etc.). The tenant (i.e., the owner of the VM) can choose whichapplications to operate on top of the guest operating system. Somecontainers, on the other hand, are constructs that run on top of a hostoperating system without the need for a hypervisor or separate guestoperating system. In some embodiments, the host operating system usesname spaces to isolate the containers from each other and thereforeprovides operating-system level segregation of the different groups ofapplications that operate within different containers. This segregationis akin to the VM segregation that is offered in hypervisor-virtualizedenvironments that virtualize system hardware, and thus can be viewed asa form of virtualization that isolates different groups of applicationsthat operate in different containers. Such containers are morelightweight than VMs.

Hypervisor kernel network interface modules, in some embodiments, is anon-VM DCN that includes a network stack with a hypervisor kernelnetwork interface and receive/transmit threads. One example of ahypervisor kernel network interface module is the vmknic module that ispart of the ESXi™ hypervisor of VMware, Inc.

It should be understood that while the specification refers to VMs, theexamples given could be any type of DCNs, including physical hosts, VMs,non-VM containers, and hypervisor kernel network interface modules. Infact, the example networks could include combinations of different typesof DCNs in some embodiments.

While the invention has been described with reference to numerousspecific details, one of ordinary skill in the art will recognize thatthe invention can be embodied in other specific forms without departingfrom the spirit of the invention. In addition, a number of the figures(including FIGS. 2 and 4-6 ) conceptually illustrate processes. Thespecific operations of these processes may not be performed in the exactorder shown and described. The specific operations may not be performedin one continuous series of operations, and different specificoperations may be performed in different embodiments. Furthermore, theprocess could be implemented using several sub-processes, or as part ofa larger macro process. Thus, one of ordinary skill in the art wouldunderstand that the invention is not to be limited by the foregoingillustrative details, but rather is to be defined by the appendedclaims.

1-19. (canceled)
 20. A method for performing a service at an edge routercomprising first and second interfaces, the method comprising:configuring the edge router to send, through the first interface, packetflows to a service machine to perform the service and to receive, fromthe second interface, the serviced packet flows; configuring the edgerouter to send, from the first interface, a first set of heartbeat datamessages to the service machine and to process a second set of heartbeatdata messages received from the service machine along the secondinterface; and configuring the edge router to determine that the servicemachine has failed based on a period of time associated with receivingheartbeat data messages in the second set of heartbeat data messages.21. The method of claim 20, wherein data messages in the first set ofheartbeat data messages traverse a datapath comprising a first switchthrough which the first set of heartbeat data messages traverse from thefirst interface to the service machine, and a second switch throughwhich the second set of heartbeat data messages traverse from theservice machine to the second interface.
 22. The method of claim 21,wherein each switch associates a port of the switch with media accesscontrol (MAC) addresses used as source addresses for data messagesreceived at the port.
 23. The method of claim 22, wherein the periodbetween data messages in each of the first and second sets of heartbeatdata messages is less than a time period for a timeout of a learnedmedia access control (MAC) address.
 24. The method of claim 20, whereinthe service machine is part of a cluster of service machines thatperform the service, and the data messages of the first set of datamessages use a broadcast destination media access control (MAC) addressin order to reach the service machine that is the active service machinein the cluster to perform the service.
 25. The method of claim 24,wherein the service machines provides the service for packet flowswithout changing source and destination media access control (MAC)addresses of the packet flows.
 26. The method of claim 24, wherein thecluster of service machines determines which service machine in thecluster is the active independent of the heartbeat data messages sent toand from the edge router.
 27. The method of claim 24, wherein datamessages in the first set of heartbeat data messages traverse a datapathcomprising a first switch through which the first set of heartbeat datamessages traverse from the first interface to the service machine, and asecond switch through which the second set of heartbeat data messagestraverse from the service machine to the second interface, the firstswitch associates a MAC address of the first interface with a first portto which the first interface is connected based on the first datamessage being received from the first interface, and the second switchassociates the MAC address of the first interface with a second port towhich the active service machine is connected based on the first datamessage being received from the active service machine.
 28. The methodof claim 20 further comprising dropping data messages that require theservice determining that the service machine has failed.
 29. The methodof claim 20, wherein the particular service is one of a firewalloperation, a network address translation, and a load balancingoperation, and the service machine is a service virtual machine or aservice appliance.
 30. A non-transitory machine readable medium storinga program which when executed by at least one processing unit configuresan edge router comprising first and second interfaces to provide aservice for a plurality of packet flows processed by the edge router,the program comprising sets of instructions for: configuring the edgerouter to send, through the first interface, packet flows to a servicemachine to perform the service and to receive, from the secondinterface, the serviced packet flows; configuring the edge router tosend, from the first interface, a first set of heartbeat data messagesto the service machine and to process a second set of heartbeat datamessages received from the service machine along the second interface;and configuring the edge router to determine that the service machinehas failed based on a period of time associated with receiving heartbeatdata messages in the second set of heartbeat data messages.
 31. Thenon-transitory machine readable medium of claim 30, wherein datamessages in the first set of heartbeat data messages traverse a datapathcomprising a first switch through which the first set of heartbeat datamessages traverse from the first interface to the service machine, and asecond switch through which the second set of heartbeat data messagestraverse from the service machine to the second interface.
 32. Thenon-transitory machine readable medium of claim 31, wherein each switchassociates a port of the switch with media access control (MAC)addresses used as source addresses for data messages received at theport.
 33. The non-transitory machine readable medium of claim 32,wherein the period between data messages in each of the first and secondsets of heartbeat data messages is less than a time period for a timeoutof a learned media access control (MAC) address.
 34. The non-transitorymachine readable medium of claim 30, wherein the service machine is partof a cluster of service machines that perform the service, and the datamessages of the first set of data messages use a broadcast destinationmedia access control (MAC) address in order to reach the service machinethat is the active service machine in the cluster to perform theservice.
 35. The non-transitory machine readable medium of claim 34,wherein the service machines provides the service for packet flowswithout changing source and destination media access control (MAC)addresses of the packet flows.
 36. The non-transitory machine readablemedium of claim 34, wherein the cluster of service machines determineswhich service machine in the cluster is the active independent of theheartbeat data messages sent to and from the edge router.
 37. Thenon-transitory machine readable medium of claim 34, wherein datamessages in the first set of heartbeat data messages traverse a datapathcomprising a first switch through which the first set of heartbeat datamessages traverse from the first interface to the service machine, and asecond switch through which the second set of heartbeat data messagestraverse from the service machine to the second interface, the firstswitch associates a MAC address of the first interface with a first portto which the first interface is connected based on the first datamessage being received from the first interface, and the second switchassociates the MAC address of the first interface with a second port towhich the active service machine is connected based on the first datamessage being received from the active service machine.
 38. Thenon-transitory machine readable medium of claim 30 further comprisingdropping data messages that require the service determining that theservice machine has failed.
 39. The non-transitory machine readablemedium of claim 30, wherein the particular service is one of a firewalloperation, a network address translation, and a load balancingoperation, and the service machine is a service virtual machine or aservice appliance.